HARD DISK PASSWORD LOCK

FIELD OF THE INVENTION 

The invention relates to computer security devices. 
Specifically, this invention relates to a method of encrypting 
data on a removable hard disk. 

BACKGROUND OF THE INVENTION 

Early computer systems were protected by physical security.
These computers were kept in locked rooms and often had
around the clock security or were used around the clock
because of their extreme cost. The first challenge to
computer security came with remote terminals. The terminals
were often distributed throughout a building or campus, and
did not receive the same security as the computer.

To meet this challenge, computer operating systems were
equipped with user accounts. Each user account was protected
by a password. A user at a remote terminal could not access
the computer without his assigned password. In these early
systems, the password control formed part of the operating
system. The computer itself had to remain secure or the user
account and password security was useless.

With the advent of personal computers, operating system or
application software security systems became unreliable. An
unauthorized user could simply turn off the computer and
restart it using software from an external source, such as a
floppy disk. In response to this new threat to security,
personal computers were equipped with BIOS (Basic Input
Output System) based software passwords. A BIOS based
password program runs before control of the computer is
given to any disk based software. This prevents an
unauthorized user from accessing data by starting the
computer from a floppy disk or using other means to change
the disk based software.

While the BIOS based security software is better than disk
based security software, it still does not protect data
removed from the computer. An unauthorized user can remove a
hard disk or other mass storage device from a protected
computer and read the data using another computer. Many
computers now come with easily removable hard disks. This is
particularly common in servers and portable computers.
Removable hard disks make it easier than ever to bypass a
computer's security by moving data to another computer.

SUMMARY OF THE INVENTION 

The invention provides an encryption circuit for encrypting
and decrypting data as it travels to and from a hard disk or
other mass storage device. The encryption circuit can be
turned on or off under control of the BIOS program and a
user supplied password. With the present invention, a
removed hard disk cannot be read without the user supplied
password and a similar encryption circuit.

BRIEF DESCRIPTION OF THE DRAWINGS 

Preferred embodiments demonstrating the various objectives
and features of the invention will now be described in
conjunction with the following drawings:

FIG. 1 is a block diagram of a typical prior art computer 
system. 

FIG. 2 is a block diagram of a computer system including 
the present invention. 

FIG. 3 is a flow chart showing control of the encryption 
circuit. 

FIG. 4 is a flow chart showing the test for an encrypted
hard disk.

FIG. 5 is a flow chart showing the test for the user
supplied password.

FIG. 6 is a flow chart showing the method for encrypting
an unencrypted disk.

FIG. 7 is a flow chart showing the method for unencrypting
an encrypted disk.

FIG. 8 is a block diagram of the encryption circuit.

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS OF THE 
INVENTION 

Referring to FIG. 1, a computer system according to the
prior art consists of a processor 10 requesting data through
a bus 12. Requests for data from a hard disk 14 are sent by
the processor 10 over the bus 12 to a disk controller 16. The
disk controller 16 retrieves the data from the hard disk 14
and returns the data over the bus 12 to the processor 10.

FIG. 2 shows a block diagram of a computer system
incorporating the present invention. A processor 20 requests
data through a bus 22. Requests for data from a hard disk 24
are sent by the processor 20 over the bus 22 to a disk
controller 26. The disk controller 26 retrieves the data from
the hard disk 24 and returns the data over the bus 22 to the
processor 20. The present invention adds an encryption
circuit 28. Data must pass through encryption circuit 28 to
travel from hard disk 24 to processor 20, or from processor
20 to hard disk 24. In the preferred embodiment of the
invention, the encryption circuit 28 is implemented in an
application specific integrated circuit (ASIC). An ASIC can
encrypt or decrypt a word of data in a single clock cycle.
This allows the encryption process to work within the
normal data transfer time and hence be transparent to the rest
of the computer system. Data is encrypted as it passes
through encryption circuit 28 on its way from processor 20
to hard disk 24. Data is decrypted as it passes through
encryption circuit 28 on its way from hard disk 24 to
processor 20. The encryption algorithm is a function of a
provided password.

Since the encryption algorithm is a function of the user's
password, many users can have identical encryption circuits
and not be able to read each other's data without the
encrypting password. At the same time, encrypted data can
easily be moved to another machine with the same encryption
circuit and the same password. As long as the user
protects his password, the data is secure even though the
encryption algorithm may be well known.

The password is stored in two locations. It is stored in a
write only register on the encryption ASIC. The password
register is volatile memory, and its contents are lost each
time the computer is turned off. The password is also stored
at the end of the boot block on the hard disk. Since the data
on the hard disk survives power loss, the password is
encrypted by itself. Hence, an intruder who is able to access
the stored password cannot read it unless he already has the
password. The encryption circuit simply replicates the
encryption algorithm in hardware to execute it quickly.

It is possible, if desired by the user, to store the password
both on the drive and in the computer system. As long as the
two passwords match, the hard disk can be used without
having to input a password. If the hard disk is removed from
the computer system and placed in another computer
system, the password must be entered in the new computer
system before a user can access the data on the hard disk.

Therefore, encryption circuit 28 can be identical in
multiple computers. An encrypted hard disk can only be read on
another computer if the computer operator has the password
used to encrypt the disk.

As with the BIOS based system password, the software
that controls the encryption circuit 28 must run as part of the
BIOS before control of the computer is given to any disk based
software.

Referring to FIG. 3, the drive security program begins
with a power-on password such as exists in many prior art
systems. The system prompts the user for a password 32 and
then tests to see if the user supplied password matches a
password stored on the hard disk. If the passwords do not
match, the user again receives a prompt for a password 32.
This loop will continue until the correct password
is supplied. The BIOS will not start the computer without the
correct password. If the user supplied password matches the
password stored on the hard disk, then the software tests to
determine if the hard drive is encrypted 36. Step 36 is
described in more detail in FIG. 4. If the hard disk 24 is
encrypted, the software prompts the user for hard disk
password 38. Step 38 is shown in more detail in FIG. 5.

If the hard drive is not encrypted, the software asks if the
user wants to encrypt the hard drive 40. If the user responds
yes, the drive is encrypted 42. Step 42 is shown in greater
detail in FIG. 6. Then, the encryption circuit 28 is enabled
44. If the user responds "no" to the question in step 40, the
encryption circuit 28 is disabled 46. Then, the normal BIOS
boot up procedure continues 48.

FIG. 4 expands on step 36 in FIG. 3. The system
determines if the drive is encrypted by reading the hard disk
password 50 and comparing it with null 52. If the password
is null, the drive is not encrypted 54. If the password is not
null, the drive is encrypted 56.

FIG. 5 expands on step 38 in FIG. 3. The hard disk
password verification routine begins by reading the
encrypted hard disk password 60. The system prompts the
user for the hard disk password 62, loads the user provided
password into the encryption circuit 28, and then encrypts
the user's entry using itself 64. The system compares the two
passwords 66. If there is a match the boot process continues
68. If not, the system again prompts the user for the hard disk
password 62.

FIG. 6 expands on step 42 in FIG. 3. The hard disk
encryption routine begins by prompting the user for a new
hard disk password 70. Then, the drive seeks the end of the
second file allocation table (FAT) 72. The file allocation
tables are not encrypted. The following loop is repeated: the
encryption circuit is disabled 74; a block is read from the
hard disk 76; the encryption circuit is enabled 78; the same
block is written back to the hard disk 80. After each
repetition, the system tests for the end of the hard disk 82.
If it is not the end of the hard disk, the process 74-80 is
repeated. The encryption is complete 84 after encryption of
the last block on the drive.

FIG. 7 describes the opposite function, the decryption of
an encrypted disk. The hard disk decryption routine begins
by prompting the user for the current hard disk password 90.
Then, the drive seeks the end of the second file allocation
table (FAT) 92. The following loop is repeated: the
encryption circuit is enabled 94; a block is read from the hard
disk 96; the encryption circuit is disabled 98; the same block
is written back to the hard disk 100. After each repetition the
system tests for the end of the hard disk 102. If it is not the
end of the hard disk, the process 94-80 is repeated. The
encryption is complete 104 after encryption of the last block
on the drive.

Referring to FIG. 8, the encryption circuit 28 includes a
password storage register 110. Password storage register 110
is both write only and volatile. The register cannot be read
and loses its contents when power is lost. The encryption
circuit 28 also includes a memory for storing one
unencrypted sector 112. The password and unencrypted sector
are combined in exclusive or (XOR) logic 114 and output to a
memory for storing one encrypted sector 116.

The password can be combined with the data to be
encrypted in many different ways depending on how much
complexity is desired. The simplest method is to combine
the first byte of the password with the first byte of the data
with an XOR, then combine the second byte of the data
with the second byte of the password with the XOR. When
the last byte of the password is used, the first byte is used
to XOR with the data. This is continued to the end of
the sector. A new sector always begins at the beginning of
the password.

Although described above in terms of the preferred
embodiment, the present invention is set forth with
particularity in the appended claims. Such modifications and
alterations as would be apparent to one of ordinary skill in
the art and familiar with the teachings of this application
shall be deemed to fall within the spirit and scope of the
invention.

In particular, the preferred embodiment of the invention
describes a hard disk. In the near future, it is probable that
computer mass data storage will not be in the form of a
magnetic hard disk but in some form of non-volatile silicon.
The invention is independent of the technology used to store
data and any mass-storage device is deemed to be within the
spirit of the invention.

What is claimed is:

1. A computer system comprising:
a CPU;
a mass storage device;
a bus for coupling the CPU and the mass storage device;
an encryption circuit intercepting data traveling between
said CPU and said mass storage device, for encrypting
and decrypting data as it travels to and from said mass
storage device and said CPU.

2. The computer system according to claim 1 further
comprising means for storing a password.

3. The computer system according to claim 2 wherein said
encryption circuit includes means for encrypting and
decrypting data according to said password.

4. The computer system according to claim 1 further
comprising means for removing said mass storage device.

5. The computer system according to claim 1 further
comprising means for removing said mass storage device
and said means for storing a password as a single unit.

6. A mass storage device for installation in a computer
comprising:
mass storage media for storing data;
means for storing a password;
mounting means for mounting said mass storage device in
a computer; and
an encryption circuit for encrypting data using said
password.

7. [text illegible in source]
providing a computer system including a CPU and a mass
storage device connected by a bus;
requesting a password from a user;
encrypting data, using said password as a key, as it travels
from said CPU to said mass storage device; and
decrypting data using said password as a key, as it travels
from said mass storage device to said CPU.

8. The method according to claim 7 further comprising
storing said password and only requesting said password on
a first use and retrieving said password from storage on
subsequent uses.

* * * * *
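
The simplest combination method in the FIG. 8 description (password bytes XORed with data bytes, wrapping within a sector and restarting at each new sector), written out as an added example that is not code from the patent. The 512-byte sector size, the function names and the sample data are assumptions; the checks cover the write/read round trip, the password "encrypted by itself", and what an all-zero sector looks like on disk.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512 /* assumed; the text gives no sector size */

/* XOR buf with the password, wrapping to byte 0 after its last byte.
 * XOR is its own inverse, so the same routine encrypts and decrypts. */
void xor_with_password(uint8_t *buf, size_t len, const char *pw)
{
    size_t pwlen = strlen(pw);
    if (pwlen == 0)
        return; /* empty password: nothing to XOR with (assumed) */
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)pw[i % pwlen];
}

/* 1 if a constructed sector changes on write and is restored on read. */
int round_trip_ok(const char *pw)
{
    uint8_t plain[SECTOR_SIZE], work[SECTOR_SIZE];
    for (size_t i = 0; i < SECTOR_SIZE; i++)
        plain[i] = (uint8_t)(i * 7 + 3); /* constructed sample data */
    memcpy(work, plain, SECTOR_SIZE);
    xor_with_password(work, SECTOR_SIZE, pw);
    int changed = memcmp(work, plain, SECTOR_SIZE) != 0;
    xor_with_password(work, SECTOR_SIZE, pw);
    return changed && memcmp(work, plain, SECTOR_SIZE) == 0;
}

/* Count non-zero bytes left after the password is "encrypted by itself". */
size_t self_encrypted_nonzero_bytes(const char *pw)
{
    uint8_t buf[SECTOR_SIZE] = {0};
    size_t n = strlen(pw) < SECTOR_SIZE ? strlen(pw) : SECTOR_SIZE, nz = 0;
    memcpy(buf, pw, n);
    xor_with_password(buf, n, pw);
    for (size_t i = 0; i < n; i++)
        nz += buf[i] != 0;
    return nz;
}

/* 1 if an all-zero sector, once encrypted, begins with the password. */
int zero_sector_starts_with_password(const char *pw)
{
    uint8_t sector[SECTOR_SIZE] = {0};
    size_t n = strlen(pw) < SECTOR_SIZE ? strlen(pw) : SECTOR_SIZE;
    xor_with_password(sector, SECTOR_SIZE, pw);
    return memcmp(sector, pw, n) == 0;
}
```

Under this simplest method the self-encrypted password is zero bytes for every password, so if null in the FIG. 4 test means zero bytes the stored value cannot distinguish an encrypted drive or verify an entry. Any zero-filled sector is also stored as the password repeated, which is why a design review would require a real cipher and a separately derived verifier here.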